1. Field of the Invention
The present invention relates to an apparatus and method for detecting a traffic flooding attack and conducting an in-depth analysis using data mining. The apparatus and method may rapidly detect a distributed denial of service (DDoS) attack, for example a traffic flooding attack that has evolved from a denial of service (DoS) attack into more varied and more robust forms, classify the attack type, and conduct a semantic analysis of the attack.
2. Description of the Related Art
A traffic flooding attack, represented by a denial of service (DoS)/distributed denial of service (DDoS) attack, refers to an attack that makes a normal service unavailable by exhausting the resources of a target network or computer system. Since such a traffic flooding attack may cause an incalculable amount of damage to a business, there is a demand for a security technology that rapidly detects and handles malicious access, intrusions, and the like.
Conventional packet collecting methods for detecting a DoS/DDoS attack enable a detailed analysis of an attack to be conducted. However, they may require an expensive high-performance analysis system, and they may scale poorly in terms of installation and management.
In order to resolve such issues, an intrusion detection methodology using management information base (MIB) information of the simple network management protocol (SNMP) is attracting attention. Traffic flooding attack detection using SNMP MIB information may be performed using a relatively small amount of system and network resources for collecting the MIB information, and it operates on standardized network performance data. Accordingly, it is possible to support rapid and effective detection when compared to a packet-based detection method.
Methods of detecting a DDoS attack using SNMP MIB information may be classified into a protocol trend analysis, a diurnal traffic trend analysis, a method using the correlation between a specific attribute and other attribute information in the MIB, and the like. However, most such methods have been implemented in systems tailored to the functions and properties of the attack tools used for testing, and have the disadvantage that the entire algorithm must be revised whenever a new type of attack or a new tool appears.
In the recent research literature, a number of interesting intrusion detection systems using machine learning techniques and SNMP MIB information have been published, for example, a system for converting SNMP data into a probability density function and determining whether an intrusion occurs using a backpropagation-based artificial neural network, a system for detecting anomalous traffic in mobile ad hoc networks by applying SNMP MIB information to a Bayesian classifier, a system for detecting an intrusion using an anomaly detection algorithm based on principal component analysis, a system for detecting a traffic flooding attack and performing an attack classification using a support vector machine, and the like. However, such studies aim at overcoming the disadvantages of traditional DDoS detection methodology and may thereby overlook its advantages. In other words, the machine learning methodologies mentioned above have concentrated on constructing an efficient system while neglecting the interpretation of the system's mechanism, turning the core decision mechanism into a black box. Therefore, a more comprehensive system that, although heuristic, retains the interpretive (hermeneutic) advantages of traditional DDoS detection methodology is deemed desirable.
Accordingly, a more comprehensive system that, although heuristic, considers the interpretive advantages of the conventional DDoS detection methodology is suggested herein. A system that detects a traffic flooding attack and classifies the attack type from SNMP MIB information using the C4.5 algorithm, a decision tree that is a representative prediction and classification model of data mining, may be designed and implemented. In addition, after feature selection and reduction of the SNMP MIB information by attribute subset selection as data pre-processing, a semantic in-depth analysis may be conducted that uses association rule mining, a representative interpretive analysis model of data mining, to extract and analyze, in the form of rules, the features of the SNMP MIB information that characterize the traffic flooding attack and its type. Automatic rule extraction and in-depth semantic interpretation of the specific rules for traffic flooding attacks and for the data of each attack type are also expected to open up new methodologies for intrusion detection systems and to provide a theoretical ground for intrusion detection and response systems.
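The following is an added example, not code from the patent or its authors, illustrating the pipeline described in the Related Art and the preceding paragraph: cumulative SNMP MIB-II counters are turned into per-polling-interval deltas, a C4.5-style gain ratio selects the split attribute and threshold, a small decision tree is grown to classify an interval as normal or as one of three flooding types, and the root-to-leaf paths are read out as rules. The four counter names are standard MIB-II objects; all counter values, the training intervals and the class labels are constructed for illustration. The tree is a simplified C4.5 (binary threshold splits, no pruning, no missing-value handling), and the final rule listing is rule extraction from the tree itself, which is distinct from the association rule mining step the text describes.

```python
"""Added example: SNMP MIB-II counter deltas -> C4.5-style gain-ratio decision tree -> rules.
Standard library only; every number below is constructed, not measured."""
import math
from collections import Counter

# Standard MIB-II counters (RFC 1213) used as candidate attributes.
MIB_ATTRS = ["ipInReceives", "tcpInSegs", "udpInDatagrams", "icmpInMsgs"]


def counter_delta(prev, cur, bits=32):
    """SNMP Counter32/Counter64 values are cumulative and wrap to zero; return the
    increase between two polls, correcting for a single wrap."""
    return cur - prev if cur >= prev else cur + (1 << bits) - prev


def interval_features(prev_poll, cur_poll):
    """Per-interval deltas of each MIB counter between two consecutive polls."""
    return {a: counter_delta(prev_poll[a], cur_poll[a]) for a in MIB_ATTRS}


def entropy(labels):
    n = len(labels)
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values())


def best_threshold(rows, attr):
    """C4.5 handling of a continuous attribute: evaluate the binary split 'attr <= t'
    at every midpoint between sorted distinct values and return (gain_ratio, t) of the
    best one, where gain ratio = information gain / split information."""
    labels = [lab for _, lab in rows]
    base, n = entropy(labels), len(rows)
    values = sorted({f[attr] for f, _ in rows})
    best = (0.0, None)
    for lo, hi in zip(values, values[1:]):
        t = (lo + hi) / 2
        left = [lab for f, lab in rows if f[attr] <= t]
        right = [lab for f, lab in rows if f[attr] > t]
        gain = base - (len(left) * entropy(left) + len(right) * entropy(right)) / n
        split_info = entropy(["L"] * len(left) + ["R"] * len(right))
        ratio = gain / split_info if split_info else 0.0
        if ratio > best[0]:
            best = (ratio, t)
    return best


def build_tree(rows, depth=0, max_depth=4):
    """Grow the tree greedily (no pruning); a leaf carries the majority label."""
    labels = [lab for _, lab in rows]
    majority = Counter(labels).most_common(1)[0][0]
    if len(set(labels)) == 1 or depth >= max_depth:
        return majority
    (_, t), attr = max(((best_threshold(rows, a), a) for a in MIB_ATTRS),
                       key=lambda s: s[0][0])
    if t is None:  # no attribute yields any information gain
        return majority
    left = [r for r in rows if r[0][attr] <= t]
    right = [r for r in rows if r[0][attr] > t]
    return (attr, t, build_tree(left, depth + 1, max_depth),
            build_tree(right, depth + 1, max_depth))


def classify(tree, features):
    while isinstance(tree, tuple):
        attr, t, left, right = tree
        tree = left if features[attr] <= t else right
    return tree


def tree_rules(tree, path=()):
    """Flatten root-to-leaf paths into IF-THEN rules (rule extraction from the tree,
    not the association-rule mining step described in the text)."""
    if not isinstance(tree, tuple):
        return [(" AND ".join(path) or "TRUE", tree)]
    attr, t, left, right = tree
    return (tree_rules(left, path + (f"{attr} <= {t:g}",))
            + tree_rules(right, path + (f"{attr} > {t:g}",)))


def _row(ip, tcp, udp, icmp, label):
    return ({"ipInReceives": ip, "tcpInSegs": tcp, "udpInDatagrams": udp, "icmpInMsgs": icmp}, label)


# Constructed training intervals (counter deltas per poll): four normal, three per flood type.
TRAIN = [
    _row(1000, 700, 250, 20, "normal"), _row(1200, 850, 300, 30, "normal"),
    _row(900, 600, 250, 25, "normal"), _row(1100, 800, 260, 15, "normal"),
    _row(50000, 49500, 300, 30, "tcp_syn_flood"), _row(80000, 79000, 400, 40, "tcp_syn_flood"),
    _row(60000, 59000, 350, 20, "tcp_syn_flood"),
    _row(50000, 700, 49000, 30, "udp_flood"), _row(70000, 800, 69000, 25, "udp_flood"),
    _row(45000, 650, 44000, 20, "udp_flood"),
    _row(50000, 650, 300, 49000, "icmp_flood"), _row(60000, 700, 350, 59000, "icmp_flood"),
    _row(40000, 600, 280, 39000, "icmp_flood"),
]
TREE = build_tree(TRAIN)

# Two constructed consecutive polls of a device under a UDP flood; ipInReceives wraps between them.
PREV_POLL = {"ipInReceives": 4294950000, "tcpInSegs": 5000, "udpInDatagrams": 9000, "icmpInMsgs": 100}
CUR_POLL = {"ipInReceives": 37704, "tcpInSegs": 5700, "udpInDatagrams": 63000, "icmpInMsgs": 130}

if __name__ == "__main__":
    for cond, label in tree_rules(TREE):
        print(f"IF {cond} THEN {label}")
    feats = interval_features(PREV_POLL, CUR_POLL)
    print(feats, "->", classify(TREE, feats))
```

Two points the example makes that the text does not: SNMP counters must be differenced between polls (and corrected for wrap) before they are usable as features, so detection latency is bounded by the polling interval; and because every class here is separable on a single counter, each split isolates one class with gain ratio 1, which is why the resulting rules are short enough to read, the interpretability the preceding paragraph argues for.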